Cooley Discusses “Internal Control over Sustainability Reporting”

Under the pressure of institutional investors, environmental groups, employees, consumers and other stakeholders, many companies have sought to demonstrate their bona fides when it comes to ESG through disclosure about their sustainability efforts, goals and achievements, whether in periodic reports or in separate sustainability reports. But, as reporting increases, so do concerns by some about potential greenwashing. How can companies assure the quality of their sustainability reporting and create more trust and confidence among stakeholders? One way might be through effective internal controls. So far, however, according to a new report from the Committee of Sponsoring Organizations of the Treadway Commission, known as COSO, “[f]ew best practices have been established. While some larger institutions have progressed in building controls around environmental, social, and governance (ESG) reporting, many organizations have designed ad hoc controls around certain key sustainable business metrics. Many also perform internal verification and assurance procedures to ensure management comfort with this information. Yet few of them seem to have developed effective, integrated systems of internal control over their material or decision-useful sustainable business information.” Now, leveraging insights gleaned from development of the most widely used internal control framework—the COSO Internal Control-Integrated Framework—COSO has developed the concept of “internal control over sustainability reporting” (ICSR). In its new report, which weighs in at 114 pages, COSO provides supplemental guidance that explains and interprets how each of the 17 principles in the 2013 version of the COSO ICIF applies to sustainable business activities and sustainable business information. According to the authors, “[i]nternal controls have value beyond compliance and external financial reporting. Effective internal controls can help an organization articulate its purpose, set its objectives and strategy, and grow on a sustained basis with confidence and integrity in all types of information.” As companies seek to “generate sustained value—ethically and responsibly—over the longer term,” with an emphasis on sustainability and ESG, both companies and their stakeholders need effective controls and oversight to provide the reliable and high-quality data needed for “decision making in this changing world.”

SideBar

Fraud risk is one topic that typically finds its way onto the agendas of audit committees. In this article, accounting firm Deloitte advises that, with the current attention to ESG and in anticipation of new rulemaking from the SEC on disclosure related to climate, human capital and other ESG-related topics (see this PubCo post), “fraud risk in this area should be top of mind for audit committees and a focal point in fraud risk assessments overseen by the audit committee.” While audit committees focus primarily on financial statement fraud risk, Deloitte suggests that audit committees should consider expanding their attention to fraud risk related to ESG, an area that has not been “governed by the same types of controls present in financial reporting processes,” and, therefore, may be more susceptible to manipulation. In their oversight capacity, audit committees have a role to play, Deloitte suggests, by engaging with “management, including internal audit, fraud risk specialists, and independent auditors to understand the extent to which fraud risk is being considered and mitigated.”

As articulated in the COSO report, internal control is a “process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”  There are five components to the ICIF: control environment; risk assessment; control activities; information and communication; and monitoring activities. There are also three categories of objectives: operations objectives, reporting objectives, and compliance objectives. “Each of the five components contains three to five principles, for a total of 17 principles. These make up the heart of the Framework in describing how effective internal controls can be operationalized. An organization has achieved an effective system of internal controls when all principles are present and functioning.”

SideBar

You may have observed that charges related to violations of the rules regarding internal controls and disclosure controls seem to be increasingly part of the SEC’s Enforcement playbook, with a “control failure” often used as a lever to bring charges against a company.  For example, Enforcement brought charges regarding control violations against GE (see this PubCo post), HP, Inc. (see this PubCo post), Activision Blizzard (see this PubCo post), First American Financial Corporation (see this PubCo post), and Andeavor (see this PubCo post) where, instead of attempting to make a case about funny accounting or disclosure failures or, in Andeavor, a defective 10b5-1 plan, the SEC opted to make its point by, among other things, charging failure to maintain and comply with internal accounting controls or disclosure controls and procedures. These cases underline the importance of maintaining effective controls.  

The initial COSO framework was developed in 1992 to help prevent corporate fraudulent financial reporting. It was revised in 2013. Importantly, the 2013 revised version of the ICIF recognized the importance of expanding the scope of internal control to cover non-financial reporting, which was then beginning to emerge in the form of corporate social responsibility and sustainability. The authors of the report believe that the 2013 expansion includes sustainable business information. They define “sustainable business” as “the activities and transactions that an organization conducts to achieve long-term survival as a going concern and concurrently deliver value that meets the expectations of all stakeholders that contribute resources for the organization to achieve its objectives. Following from this, sustainable business information and sustainable business reporting mean the data or information that reflects an organization’s sustainable business activities and transactions.”

How does conventional financial reporting differ from sustainable business information? While the demand for sustainability information is high and rising, so are concerns about its dependability—e.g., greenwashing. The report observes that stakeholders “often do not have the same level of confidence in the reliability, utility, and quality of currently available information that they have in traditional financial data.”  The report suggests these concerns may derive from three different qualities of sustainable business information and reporting: control v. influence; quantitative v. qualitative; and historical v. forward-looking. The first difference, “control” compared to “influence,” relates to the setting of organizational boundaries; financial reporting defines a “consolidated entity,” but “sustainability reporting may be based on different concepts of ‘control’ or ‘influence.’”  The second difference is the “inherently more qualitative” nature of sustainability information than traditional financial reporting; the “goal is to produce information so that users may assess short-, medium-, and long-term future performance and expectations that relate to an ultimate enterprise value (or going concern value).”  The third difference is that sustainability information is often “more forward-looking and long-term than financial information as organizations set goals and targets. Traditionally, financial accounting rested on the summarization of past transactions and events. Over time, however, reporting evolved to reflect economic expectations and estimates of the future. At its heart, sustainability is about wise use and preservation of resources over the long term. Long-term sustainability targets and goals inform business objectives. Further, communicating long-term goals and targets sets the stage for future reporting on the achievement of targets. The process of estimation is the same, but the time horizon is longer.”

SideBar

In 2021, then-Acting Director of Enforcement Melissa Hodgman warned that we may well see more ESG disclosure-related enforcement actions. In March, then-Acting SEC Chair Allison Herren Lee announced the creation of a new climate and ESG task force in the Division of Enforcement. (See this PubCo post and this PubCo post.) Recently, Enforcement has fixed its attention on misleading statements in sustainability reporting—greenwashing—even outside of periodic reports. (See, e.g., this PubCo post and this PubCo post.) And just last year, we saw settled charges in connection with, among other things, disclosure failures regarding environmental contamination and related financial risks, a failure the SEC also attributed to inadequate controls. (See this PubCo post.)

Importantly, the COSO framework contemplates an integrated system, one that is “holistic. An organization’s entire integrated system supports how it achieves its objectives, and effective external ESG reporting rests on the totality of these enterprise-wide processes. Moreover, rather than bright-line differentiation, the substance of the respective components, principles, and points of focus overlap. Indeed, as the title indicates, the intention is integration.”  And now, many companies are “creating multifunctional teams that bring together a company’s sustainability, finance and accounting, risk management, legal, and internal audit professionals” with expertise in the “many dimensions of sustainable business.”

Action points. To achieve effective ICSR, the framework begins with five “action points”:

  1. “Commit to integrity by stating your purpose: One of the key elements of beginning a sustainable business program is the articulation of an organization’s purpose and commitment to acting with integrity. In many cases, an organization can look to its existing mission statement and values. In other cases, however, it may prove beneficial to consider a broader perspective: the reason that stakeholders contribute their precious resources to an organization and what they expect in return.
  2. Determine objectives: The organization establishes, documents, and communicates internal and external sustainable business objectives and establish measurement and reporting principles for specific sustainable business factors with sufficient detail that they may be applied properly and considered in assessing potential risks in the process of preparing sustainable business data.
  3. Identify and assess risks (and consider opportunities): To identify significant risks, the organization evaluates the relevant qualitative and quantitative risk factors—for example, those that might result in a misstatement—that are reasonably likely to jeopardize the achievement of its sustainable business objectives. This includes a determination of the extent of the risk and whether and how it may be managed. Moreover, one of the key benefits of developing and implementing sustainable business initiatives is highlighting means for turning risks into strategic opportunities, such as reduced waste, enhanced stakeholder engagement, and improved resource deployment.
  4. Identify control activities: With an understanding of the risks to achieving sustainable business objectives and the processes that underpin the measurement, management, and reporting of the data, the organization identifies specific control activities to manage a risk or mitigate it to an acceptable level.
  5. Evaluate effectiveness: Having established internal control over sustainable business activities and ESG disclosures, the organization can regularly evaluate system design and operation to determine whether or not the Framework components and principles…  are present and functioning.”

Key takeaways. The report also identifies a number of key takeaways.  First is the importance of creating a culture of accountability: everyone involved must understand the “strategic significance of organizational performance on key issues as well as the critical importance of effective controls to ensure that decision makers have access to reliable information about that performance.” Second, the company must continually “consider—and reconsider—how its stated mission or purpose drives its objectives.” The company’s objectives should “be balanced, harmonized, and understood throughout the organization. Effective controls begin by considering this balance.” A consistent theme is the importance of creating a cross-functional team with diverse skills and perspectives, drawn from “finance and accounting; sustainability; environmental, health, and safety (EH&S); risk management; internal audit; investor relations; strategy; operations; information technology (IT); compliance; human resources; and legal” and perhaps even from “key value chain partners.” A cross-functional team can be a “valuable early step to start the integration process.”

Other key takeaways relate to the value of leveraging the skills, expertise and systems that the company already has.  Developing ICSR is probably not the company’s first controls rodeo, and while ICSR is new, the company should be able to build on existing experience and models. The CFO and the rest of the financial team have experience in developing and applying controls for ICFR, as well as in “data measurement, management, reporting, and analysis.” That expertise should be leveraged to educate other internal groups on quality and integration into “ongoing performance management and the periodic external reporting cycle.” Similarly, the operations teams “have valuable insights into how an organization is actually producing the goods and services that are being delivered.” In addition, it should be possible to adapt some of the processes and controls used for ICFR to apply to ICSR. The report identifies, as an example, modifying “automated controls built into IT platforms, data governance policies, or established monitoring techniques” for the design and development of the control system over sustainability data. Companies may want to “consider how they might adapt existing or emerging technologies. The systems around sustainable business information are often immature and depend on spreadsheets with few formal controls. By incorporating this information into IT platforms with well-established controls, an organization can significantly improve decision-maker confidence in data that has previously been measured, validated, managed, and reported outside the formal financial control environment.”

While companies might be overwhelmed (and perhaps deterred) by the time and cost involved in establishing ICSR in light of the “sheer volume of data” encompassed, companies can approach the task by prioritizing materiality or “decision usefulness.” By viewing sustainability through that lens, a company “can focus on covering a small subset of metrics that are most important to its success over time by reducing risk and contributing to growth and value creation.” However, the report recognizes that it takes time to “design and refine a system of controls that fully supports reporting objectives.” To that end, “it’s important to begin the conversation sooner rather than later. Each of these lessons is likely to prove more valuable to an organization that has integrated its sustainability practices and business strategy. Just as an entity’s control environment provides the foundation for effective ICFR, it is also an essential starting point for designing, implementing, and maintaining an effective system of internal control over decision-useful sustainable business information.”

According to the COSO Chair, “[m]ore companies are now in various stages of implementing controls and governance processes over the collection, review, and reporting of sustainability information….In many ways, sustainable business reporting is still subject to evolution and innovation. As a result, it will be a process of continuous improvement including building internal capacity and relevant assurance.”

This post comes to us from Cooley LLP. It is based on the firm’s blog post, “COSO introduces ‘internal control over sustainability reporting’,” dated April 5, 2023, and available here.